From d4f1cdd77775a1af2139d82207d6ed0248b860a5 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Thu, 31 May 2007 14:26:33 +0000
Subject: Fix XSS possibility and var visibility
---
banner/banner.class | 74 +++++++++++++++++++----------------------------------
1 file changed, 26 insertions(+), 48 deletions(-)
diff --git a/banner/banner.class b/banner/banner.class
index 37ae213..b0b241a 100644
--- a/banner/banner.class
+++ b/banner/banner.class
@@ -213,75 +213,53 @@ function render_banner($banner, $nocount = false) $banner['width'] = $this->p['width']; if ($this->p['height']) $banner['height'] = $this->p['height']; - $l = $banner['locationid']; - if (strlen($banner['matchingkeyword']) + strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0) - $l .= "|" . $banner['matchingkeyword']; - if (strlen($banner['matchingcategory']) + strlen($banner['matchingregion']) + strlen($banner['language']) > 0) - $l .= "|" . $banner['matchingcategory']; - if (strlen($banner['matchingregion']) + strlen($banner['language']) > 0) - $l .= "|" . $banner['matchingregion']; - if (strlen($banner['language']) > 0) - $l .= "|" . $banner['language']; - $l = str_replace("/", "_", $l); - - $rand = $this->rand; + + $l = it::replace("/" => "_", rtrim($banner['locationid'] . "|" . $banner['matchingkeyword'] . "|" . $banner['matchingcategory'] . "|" . $banner['matchingregion'] . "|" . $banner['language'], "|")); $pathinfo = "/c=" . $banner['campaignid'] . ":" . urlencode($banner['campaignname']) . "/b=" . $banner['bannerid'] . ":" . urlencode($banner['bannername']) . "/l=" . urlencode($l); $nocountinfo = $nocount ? "/nocount=1" : ""; - $viewpre = $this->p['server'] . "view.html$pathinfo$nocountinfo/img="; - $clickpre = $this->p['server'] . "click.html$pathinfo/url="; - $clickpreenc = urlencode($clickpre); - $auditurl = $viewpre . 
"empty.gif"; - - $keyword = $this->p['keyword']; - $keyword = preg_replace('/]*>/', '', $keyword); - $keyword = ereg_replace('\]\[', ' ', $keyword); - $keyword = ereg_replace('^\[ +', '', $keyword); - $keyword = ereg_replace(' +\]$', '', $keyword); - $keywordhtml = htmlentities(substr($keyword, 0, 30)); - $keywordurl = urlencode($keyword); - - extract($this->p['vars'], EXTR_SKIP); - - while (eregi("__([a-z]*)__", $banner['alttext'], $r)) - $banner['alttext'] = str_replace($r[0], ${strtolower($r[1])}, $banner['alttext']); - while (eregi("__([a-z]*)__", $banner['extraline'], $r)) - $banner['extraline'] = str_replace($r[0], ${strtolower($r[1])}, $banner['extraline']); - while (eregi("__([a-z]*)__", $banner['path'], $r)) - $banner['path'] = str_replace($r[0], ${strtolower($r[1])}, $banner['path']); - while (eregi("__([a-z]*)__", $banner['url'], $r)) - $banner['url'] = str_replace($r[0], ${strtolower($r[1])}, $banner['url']); - $viewurl = $viewpre . $banner['path']; - $clickurl = $clickpre . $banner['url']; - while (eregi("__([a-z]*)__", $banner['data'], $r)) - $banner['data'] = str_replace($r[0], ${strtolower($r[1])}, $banner['data']); + $keyword = it::replace(']*>' => "", '\]\[' => "", '^\[ +' => "", ' +\]$' => "", $this->p['keyword']); + $vars = array( + 'viewpre' => $this->p['server'] . "view.html$pathinfo$nocountinfo/img=", + 'clickpre' => $this->p['server'] . "click.html$pathinfo/url=", + 'clickpreenc' => urlencode($clickpre), + 'auditurl' => $viewpre . "empty.gif", + 'keyword' => $keyword, + 'keywordhtml' => substr($keyword, 0, 30), + 'keywordurl' => urlencode($keyword), + 'viewurl' => $viewpre . $banner['path'], + 'clickurl' => $clickpre . 
$banner['url'], + 'rand' => $this->rand, + ) + $this->p['vars']; + + foreach (array('alttext', 'extraline', 'path', 'url', 'data') as $field) + { + while ($var = it::match("__([a-z]+)__", $banner[$field])) + $banner[$field] = str_replace("__{$var}__", htmlspecialchars($vars[strtolower($var)]), $banner[$field]); + } switch ($banner['type']) { case 0: - if (eregi('&', $viewurl) && !eregi('&[a-z]+;', $viewurl)) - $viewurl = htmlspecialchars($viewurl); - - if (eregi('&', $clickurl) && !eregi('&[a-z]+;', $clickurl)) - $clickurl = htmlspecialchars($clickurl); - if($banner['url'] != 'http://') { - $linkstart = "p['target']) . "\">"; + $linkstart = "p['target']) . "\">"; $linkend = ""; } - echo "$linkstart\""$linkend"; + echo "$linkstart\""$linkend"; if (strlen($banner['extraline']) > 0) echo "
$linkstart" . $banner['extraline'] . $linkend; if (strlen($banner['extraline']) == 0 && $this->p['addextraline']) echo "
 "; - break; + break; + case 1: echo $banner['data']; break; + case 2: if ($this->p['enablephpbanners']) eval("?>" . $banner['data']); -- cgit v1.2.3
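Review bot: The new `$vars` array literal reads `$viewpre` and `$clickpre` (`urlencode($clickpre)`, `$viewpre . "empty.gif"`, `$viewpre . $banner['path']`, `$clickpre . $banner['url']`), but this hunk deletes the only assignments to those locals and a PHP array literal cannot refer to its own sibling entries, so unless they are set earlier in render_banner (the function begins above the hunk) `auditurl`, `viewurl`, `clickurl` and `clickpreenc` are built from null and the image/click URLs silently lose the tracking-server prefix. Keep them as locals and reference them from the array — `$viewpre = $this->p['server'] . "view.html$pathinfo$nocountinfo/img=";` / `$clickpre = $this->p['server'] . "click.html$pathinfo/url=";` then `'viewpre' => $viewpre, 'clickpre' => $clickpre,` — and compute `viewurl`/`clickurl` after the substitution loop, since on the new side they capture `$banner['path']`/`$banner['url']` before their `__var__` placeholders are expanded. The XSS fix also applies `htmlspecialchars()` to every substitution regardless of the destination field, yet `path` and `url` are URL fragments appended to the view/click prefixes and `data` is `eval()`ed as PHP for type 2, so an `&` or quote in a template variable becomes a literal `&amp;`/`&quot;` inside a redirect target or PHP source; escape per context instead — HTML-escape only for `alttext`, `extraline` and type-0/1 `data`, and `urlencode()` (or insert the raw value) for `path`/`url`. The old per-URL `&` handling before the `echo` is removed and the `<img>`/`<a>` lines are tag-stripped in this rendering, so I cannot confirm the emitted `src`/`href` attributes are still escaped; worth verifying that `$vars['viewurl']`/`$vars['clickurl']` pass through `htmlspecialchars()` at output.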